IETF Logo Mail Archive

Re: [DNSOP] Fwd: New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt

Lanlan Pan <abbypan@gmail.com> Mon, 14 August 2017 04:57 UTC

Return-Path: <abbypan@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C0221252BA for <dnsop@ietfa.amsl.com>; Sun, 13 Aug 2017 21:57:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8j5l4VQf-Z5C for <dnsop@ietfa.amsl.com>; Sun, 13 Aug 2017 21:57:02 -0700 (PDT)
Received: from mail-wm0-x22e.google.com (mail-wm0-x22e.google.com [IPv6:2a00:1450:400c:c09::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9FB87124BE8 for <dnsop@ietf.org>; Sun, 13 Aug 2017 21:57:01 -0700 (PDT)
Received: by mail-wm0-x22e.google.com with SMTP id i66so34527806wmg.0 for <dnsop@ietf.org>; Sun, 13 Aug 2017 21:57:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=qyML1dxA7cDov/JC1mlMaxTPN3QkLG9rDSPCX9yKPSU=; b=hKkQHTMGY3X1kbvyHHKfU4C07YzCOr+630+PNSsZT4uKi6RGGjds+3chuiJs3yVr+M OPqIIgA9tyVLPDuic9EhFkd0jmxqR07mC1VLq2P6kUgMG9up9qqhgoHH0QdRekd09/c5 97COS+iBDCaHtI3r6gR0ooBzj8+W7ae3xEElvoDaJ2F5L6h8MERjBXM6vH9bnR1xe5da z5GeDieEhLgtNpJf7fmptsxuRsDZxGgere3NnnlEjaE4QQ7YwVo+6Yn1GwqyZUgplQOM xQ0QBcjnxlAAW0UOM+Yy/0E4VTGa8Qm3wjrhMqC3gAKC4brPINkz879asF1fqeXI8cpo XtUw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=qyML1dxA7cDov/JC1mlMaxTPN3QkLG9rDSPCX9yKPSU=; b=KG5UQ39kz6eqrC0KsgpQ7TwhxWbqDESuwGOl3Ww85OdQUjhLZ8+Uh/S67yeuRm2Blu y09Mvue0Qc9+KqrDafCur6z3QHEE1Y+iuBrqI+OP1ezmi/wsnfiyvuAKkSPDvMUw4/hC F562V9abI/ad1LPQQH8gPfh5wQZNDaeauBGrNlOe+JYcvzLonWo7xmF7oth09JRWdP8K +dzs1nY9P+JlQOTwqvyr4mMyw2WM7WpFFK9XkYYdscZaY15nxJR7EhCpOPUcNXCcY/AV xJPmIh+72nGOaKQR/kD16O6xkokoSxku+Qxn3zQ+4SFbOXsekXe1fuSWp3LhJwEHvHDK uO9g==
X-Gm-Message-State: AHYfb5iHlPeyE9Cwjhm7FqYOePC+IHXbBT8tjR/E+bJL66Rd+MDJusY/ j+WzGMK+mQBTRz+a8emsvrXjWMmYQhal
X-Received: by 10.80.138.6 with SMTP id i6mr22722551edi.247.1502686620193; Sun, 13 Aug 2017 21:57:00 -0700 (PDT)
MIME-Version: 1.0
References: <149908054910.760.8140876567010458934.idtracker@ietfa.amsl.com> <CAAiTEH8ntOerB6MGKMS2xcCK3TL9n4fyLq6F+bpUY6oTUpWN8w@mail.gmail.com> <CANLjSvWOzaJcVL64BhNFKnTUEgfq06TQtoy=ZNJ_JafvPU1aSA@mail.gmail.com> <1659363.yAWSxLQAC2@tums.local>
In-Reply-To: <1659363.yAWSxLQAC2@tums.local>
From: Lanlan Pan <abbypan@gmail.com>
Date: Mon, 14 Aug 2017 04:56:49 +0000
Message-ID: <CANLjSvUkoYt1LXwVQ90MVej6mwOg4Q_2=PT=+Rwrf=8k5WAaRA@mail.gmail.com>
To: Paul Vixie <paul@redbarn.org>
Cc: Matthew Pounsett <matt@conundrum.com>, Paul Hoffman <paul.hoffman@vpnc.org>, Petr Špaček <petr.spacek@nic.cz>, Vladimír Čunát <vladimir.cunat@nic.cz>, dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c1957843499dc0556af7ed6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/4p83nySK9lBk5n0ZcZQRfUGQqfE>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Aug 2017 04:57:04 -0000

Hi Paul,

Maybe it makes a mountain out of a molehill.
"Give to the emperor the things that are the emperor's, and to God the
things that are God's.“, we can seperate security issue and subdomain
wildcard cache issue.

I think,  SWILD has no influence on DNSSEC deployment :
1) If recursive wants to deploy DNSSEC, it is almost impossible because of
NSEC/NSEC3 aggressiveuse Wildcards. *Security need is the greatest
motivation behind DNSSEC depolyment.*
2) If recursive doesn't want to deploy DNSSEC, it is almost impossible
because of SWILD. Imagine that, there is no SWILD to give precise subdomain
wildcard information from authoritative, recursive can use random subdomain
detect method to make cache optimization, which was described in DNS Noise:
Measuring the Pervasiveness ofDisposable Domains in Modern DNS Traffic
<http://astrolavos.gatech.edu/articles/dnsnoise-dsn2014.pdf>.

But the rate of "DNSSEC + NSEC + default dns query with DNSSEC” has
influnence on subdomain wildcard cache issue if we only accept unique
solution depend on it.

Paul Vixie <paul@redbarn.org>于2017年8月12日周六 下午11:42写道:

> On Saturday, August 12, 2017 8:29:45 AM GMT Lanlan Pan wrote:
> > ...
> >
> > SWILD is a feature just for recusive cache optimization, only dealing
> with
> > the wildcard subdomain issue (with no nodes below).
> > DNSSEC + NSEC aggressive is security feature, with cryptographic contents
> > such as KSK/ZSK/NSEC/NSEC3/NSEC5/...
> >
> > My assumption is: *we can give recursive server an alternative solution
> for
> > wildcard subdomain cache issue, not need to depend on DNSSEC.*
> > Authoritative server just simply add one SWILD RR, not much deploy cost.
> > Recursive server can add SWILD support if it has an interest in wildcard
> > subdomain cache optimization,  it is OPT-IN.
> >
> > *I don't expect implementers would adopt SWILD 100% before adopting
> > DNSSEC+NSEC aggressive. Just give an alternative choice, implementers can
> > decide adopting or not, before or after, we won't pre-select for them.*
>
> we do, though, and we must. DNSSEC development began in 1996, and
> deployment
> is stalled due to lack of motivation. it is the IETF's position that
> DNSSEC is
> a public good in that it will enable a general world-wide security level
> that
> has always eluded the Internet.
>
> any DNSSEC feature that we decide to offer separately ("a la carte") is
> both a
> missed opportunity to increase the deployment of DNSSEC, and a
> self-inflicted
> wound that deliberately further stalls that deployment.
>
> noting that DNSSEC as a protocol is of atrociously low quality ("it's
> crap"),
> i am in no way defending the design itself. however, it does work, and we
> would be acting contrary to our own best interests ("folly") if we took up
> anything like SWILD, or allowed anything like SWILD on the individual
> track.
>
> failing that level of commitment, the IETF ought to kill DNSSEC altogether.
>
> this is very similar to the "shall we had IPv6's features to IPv4, since
> V6 is
> taking so long to deploy, and these features are badly needed?" debate.
>
> vixie
>
-- 
致礼  Best Regards

潘蓝兰  Pan Lanlan

v2.23.0 | Report a Bug | By Email